[NCLUG] tripwire

Eric Dahlman dahlman at cs.colostate.edu
Wed Nov 14 17:27:14 MST 2001


Michael Dwyer <mdwyer at sixthdimension.com> writes:

> Daniel Herrington wrote:
> > I get errors emailed to root that say something about a cron job for
> > tripwire failing because I haven't initialized tripwire.  Why would I
> > want to initialize it? (besides getting rid of that email. ;-)  Is it
> > really that beneficial?
> 
> Tripwire watches for system files to change.  It is mostly a security
> tool.  It is able to alert you if someone, say, installs trojaned SSH or
> login binaries.  That said, it is beneficial.  On the other hand...
> 
>  o If you use RPM, then RPM's Verify option does much the same thing
>  o It is only as good as its initialized database.  It is possible that
> the same person who mucks with your binaries also mucks with Tripwire --
> for true security, it is suggested that you keep your tripwire
> signatures on a floppy in a safe or something...
> 
> It wouldn't hurt to initialize it, certainly.  And if you are dedicated
> to maintaining it, it is certainly good insurance against both security
> issues and Oopses on the part of the root user.

I might point out that if you don't know how to manage it, it will be a
royal pain in the future.  The problem is that it will report any
changes you make to your system, so if you, say, update your system to
Ximian GNOME, then all 10 jillion files which were modified will show
up in the next report.  Until you figure out how to tell tripwire that
the changes were all kosher, it will send you a new 400k (maybe not
that big) email every night. If you think that little message is
annoying, wait until you get the huge ones.

I like to muck with my system and after a few battles with the effects
of an xemacs recompile I just took it out of the crontab.  It is
really meant for use in a stable configuration.

-Eric 
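
As an added illustration of the cycle discussed in this thread (not code from either poster, and not how Tripwire itself is implemented): a minimal baseline, check and accept loop in Python. The function names and the two sample files are constructed for the example; the baseline fingerprint stands in for the copy you would keep offline.

```python
import hashlib, json, os, pathlib, tempfile

def digest(path):
    """SHA-256 of a file's contents."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def snapshot(root):
    """Map each file under root (relative path) to its digest."""
    out = {}
    for d, _, files in os.walk(root):
        for name in files:
            p = os.path.join(d, name)
            out[os.path.relpath(p, root)] = digest(p)
    return out

def baseline_fingerprint(baseline):
    """Digest of the baseline itself; store it offline so tampering with the database shows."""
    return hashlib.sha256(json.dumps(baseline, sort_keys=True).encode()).hexdigest()

def check(root, baseline):
    """Return (added, removed, changed) relative paths versus the baseline."""
    now = snapshot(root)
    added = sorted(set(now) - set(baseline))
    removed = sorted(set(baseline) - set(now))
    changed = sorted(p for p in now.keys() & baseline.keys() if now[p] != baseline[p])
    return added, removed, changed

def accept(root, baseline, paths):
    """Fold reviewed changes into the baseline so they stop being reported."""
    now = snapshot(root)
    updated = dict(baseline)
    for p in paths:
        if p in now:
            updated[p] = now[p]
        else:
            updated.pop(p, None)
    return updated

def demo():
    """Constructed sample tree: initialize, change one file, review, accept."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("sshd", b"v1"), ("login", b"v1")):
            pathlib.Path(root, name).write_bytes(data)
        base = snapshot(root)                          # the "initialize" step
        pathlib.Path(root, "sshd").write_bytes(b"v2")  # an upgrade, or a trojan
        before = check(root, base)                     # reported every run until accepted
        base2 = accept(root, base, before[2])
        return before, check(root, base2), baseline_fingerprint(base) != baseline_fingerprint(base2)
```

Accepting a change also changes the baseline fingerprint, so the offline copy has to be refreshed at the same time, after the reported files have been reviewed.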

